Secure Access to Web Applications with F5 and Okta using SAML 2.0 (2 of 2)
This article is the second in a two-part series.
Go to Part 1 here: Secure Access to Web Applications with F5 and Okta using SAML 2.0 (1 of 2)
Step 2: Configure F5 BIG-IP APM as SAML SP for the Application
Refer to the step-by-step instructions and screenshots below to configure F5 BIG-IP APM as SAML SP for a new application called app.f5sec.net.
2.1 Import Certificate for the Application
Import the certificate for app.f5sec.net. This certificate will be later referenced when configuring the application.
• Log in to the F5 BIG-IP System.
• On the F5 Configuration Utility (Web UI) Main menu, navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
• On the Traffic Certificate Management page, click the Import button on the right-hand corner.
• On the SSL Certificate/Key Source page, select Key from the Import Type drop-down box.
• Specify a Key Name and browse to the folder that contains the Key. After selecting the key file, click Import.
• Back in the Traffic Certificate Management page, click on the imported Key name.
• In the General Properties page, click on the Import button.
• Browse to the folder that contains the Certificate. After selecting the certificate file, click Import.
Figure 9: Importing application certificate and key
2.2 Using Guided Configuration
The F5 BIG-IP APM Guided Configuration presents a completely new and streamlined user experience. This workflow-based architecture provides intuitive configuration steps tailored for a selected use case.
The steps below will walk through the Guided Configuration to build the application and configure F5 BIG-IP APM as SAML SP.
• On the F5 Web UI Main menu, navigate to Access > Guided Configuration.
• Click on the Federation tile. From the expanded option, click on the SAML Service Provider tile.
Figure 10: Guided configuration initial selection.
• Take a moment to review the various configuration options on the SAML Service Provider page.
Figure 11: SAML Service Provider page
• Satisfy any of the DNS, NTP, Interface, VLAN, Route, and Self IP configuration prerequisites from this initial configuration page.
• Scroll down and click Next.
2.2.1 Configure Service Provider Properties
• To configure these properties, follow the guidance below.
Figure 12: Sample ‘Service Provider Properties’ configuration.
• Accept the remaining default entries and click Save & Next.
2.2.2 Configure Virtual Server Properties
• To configure a virtual server for the app, follow these steps.
Figure 13: Sample ‘Virtual Server Properties’ configuration.
• Click Save & Next.
2.2.3 Configure Okta Identity Provider Connector
• To configure Okta as the external SAML IdP, follow the steps below.
Figure 14: Sample Okta IdP configuration.
• Click Save & Next.
2.2.4 Create a Pool
• To create a load balancing pool of application servers, follow the steps below.
Figure 15: Sample ‘Pool Properties’ configuration.
• Click Save & Next.
2.2.5 Configure Single Sign-On Settings
• To configure the single sign-on settings for the application, follow the steps below.
Figure 16: Sample ‘Single Sign-on Settings’ configuration.
• Click Save & Next.
2.2.6 Endpoint Checks
Select the Enable Endpoint Checks radio button to enable endpoint checks. For this demonstration, we will leave this setting at default.
Figure 17: 'Endpoint Checks Properties' page to enable and configure endpoint checks.
• Click Save & Next.
2.2.7 Session Management
Leave the Timeout Settings at default.
Figure 18: Default timeout settings
• Click Save & Next.
2.2.8 Summary
Review the Summary screen. When done, scroll down and click Deploy.
Figure 20: Confirmation of a successful deployment.
• Click on the Finish button.
This completes the F5 BIG-IP APM configuration.
Step 3: Verification
We will verify the solution by accessing app.f5sec.net.
• Open a web browser on an end host and navigate to https://app.f5sec.net. Notice the request will be redirected to Okta.com for user authentication.
Figure 21: Redirection to Okta for user authentication.
• The application default web page prints all the headers. Notice that the HTTP_MYAUTHORIZATION header has been inserted with the appropriate value.
Figure 22: HTTP_MYAUTHORIZATION header inserted with user identity value.
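The two checks above can be scripted rather than eyeballed. The example below is added here and is not code from the article, from F5 or from Okta: it rebuilds the SAML HTTP-Redirect binding that the APM SP uses when it sends the browser to Okta (raw DEFLATE, base64, then a SAMLRequest query parameter), decodes the AuthnRequest out of a redirect Location header to confirm the Issuer and AssertionConsumerServiceURL belong to app.f5sec.net, and shows how the back end should read the HTTP_MYAUTHORIZATION header that the SSO step inserts. The SP entity ID, ACS path, Okta tenant URL, BIG-IP address and user name are constructed assumptions; none of them appear in the article.

```python
"""Added example (not from the article, F5 or Okta): decode the SAML
HTTP-Redirect binding request the APM SP sends towards Okta, and read the
identity header the back-end application receives after SSO.

All concrete values below are constructed for the example; the article
does not state the entity ID, ACS URL, Okta tenant or BIG-IP address.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed values (placeholders, not from the article)
SP_ENTITY_ID = "https://app.f5sec.net"
ACS_URL = "https://app.f5sec.net/saml/sp/profile/post/acs"
OKTA_SSO_URL = "https://example.okta.com/app/exampleapp/exkPLACEHOLDER/sso/saml"
TRUSTED_PROXIES = {"10.0.0.5"}  # assumed BIG-IP address seen by the pool members


def build_authn_request(request_id: str = "_example-authn-request-1") -> str:
    """A minimal SAML 2.0 AuthnRequest as the SP would issue it (constructed)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="{OKTA_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_request(authn_request_xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
    raw = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    return urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii")})


def sp_redirect_location() -> str:
    """The Location header value the SP returns in its 302 to the browser."""
    return OKTA_SSO_URL + "?" + encode_redirect_request(build_authn_request())


def parse_redirect(location: str) -> dict:
    """Decode the AuthnRequest carried in a redirect Location header.

    Returns the IdP host plus the Issuer, ACS URL and Destination so a tester
    can confirm the SP is sending the user to the expected Okta tenant and
    asking for the assertion to come back to app.f5sec.net.
    """
    url = urlparse(location)
    params = parse_qs(url.query)
    if "SAMLRequest" not in params:
        raise ValueError("Location header carries no SAMLRequest parameter")
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected SAML message: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "idp_host": url.hostname,
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
    }


def identity_from_headers(headers: dict, peer_ip: str) -> Optional[str]:
    """Read the SSO identity the BIG-IP inserted as HTTP_MYAUTHORIZATION.

    The header is only meaningful when the request really came through the
    BIG-IP, so the back end accepts it solely from the trusted proxy address.
    """
    if peer_ip not in TRUSTED_PROXIES:
        return None
    return headers.get("HTTP_MYAUTHORIZATION")


if __name__ == "__main__":
    location = sp_redirect_location()
    print(parse_redirect(location))
    print(identity_from_headers({"HTTP_MYAUTHORIZATION": "alice@f5sec.net"}, "10.0.0.5"))
```

Running the script prints the decoded AuthnRequest fields for the constructed redirect and the identity read from the constructed header; to check a live deployment, paste the Location header from the browser's first response for https://app.f5sec.net into `parse_redirect` and compare the Issuer and ACS URL against what was entered in the Service Provider Properties step.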
Additional Resources
Part 1 - Secure Access to Web Applications with F5 and Okta using SAML 2.0
BIG-IP APM Product Information: Knowledge Center
Free Training Course: Getting Started with BIG-IP Access Policy Manager (APM)
Lightboard Lesson: F5 Access Policy Manager and Okta - Single Sign On and Multi-Factor Authentication
External Resource: F5 | Okta partnership